
Cluster XG 310 - Snort 100% - Firewall blocks all traffic and routing

Hi all,


I have an XG310 cluster, last updated last Friday to v16, hoping that something was fixed.

I experience random stops of firewall functionality: I can only reach the firewall web administration if I am on the same LAN subnet; all other traffic is blocked, there is no routing, and public web/mail sites are blocked.

I have kept the XG version updated all along (since April this year); for months, sometimes everything locks down... the only solution is a reboot of the device, after which everything is fine.

While the system is locked, I can access the appliances via SSH, and every time the system is locked I notice the snort process at 100% of CPU resources; if I kill that process everything restarts instantaneously... so maybe some IPS issue? Anyone?

This has been happening since the beginning of production; it's really frustrating. It's not a daily issue, but it happens at least once a month...

Last but not least, I went through support with no luck months ago...

thanks in advance,


Simone

  • Hi Simone and Welcome to Sophos Community,

    If the IPS service i.e., snort is taking high CPU usage, please check if any IPS policy is applied on the firewall rules. Check the IPS live logs and verify if any signature is detected frequently. If it is showing lots of IPS alerts with only one or two IPS signatures, please disable the same signatures from the IPS policy.
     
    Thanks
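    The check suggested above (look through the IPS logs for one or two signatures that fire far more often than the rest) is easy to script once the log has been exported from the Log viewer. The following is an added example written for this page, not code from Sophos or from anyone in the thread. The key="value" layout and the field names (log_type, signature_id, message, src_ip, action) are an assumption loosely modelled on how the XG writes its logs, and the log lines, signature ids and addresses are constructed placeholders, so adjust the regex and field names to match a real export before relying on it.

```python
import re
from collections import Counter

# Constructed sample of IPS log lines in a key="value" layout. The field
# names are an assumption, not a capture from an XG appliance, and the
# signature ids / messages are placeholders rather than real Snort rules.
SAMPLE_IPS_LOG = """\
log_type="IDP" log_subtype="Detect" timestamp="2016-11-07 09:14:01" signature_id="100001" message="sample signature A" src_ip="203.0.113.5" dst_ip="192.0.2.10" action="Drop"
log_type="IDP" log_subtype="Detect" timestamp="2016-11-07 09:14:01" signature_id="100001" message="sample signature A" src_ip="203.0.113.5" dst_ip="192.0.2.11" action="Drop"
log_type="IDP" log_subtype="Detect" timestamp="2016-11-07 09:14:02" signature_id="100001" message="sample signature A" src_ip="203.0.113.5" dst_ip="192.0.2.12" action="Drop"
log_type="IDP" log_subtype="Detect" timestamp="2016-11-07 09:14:02" signature_id="100002" message="sample signature B" src_ip="198.51.100.7" dst_ip="192.0.2.10" action="Allow"
log_type="IDP" log_subtype="Detect" timestamp="2016-11-07 09:14:03" signature_id="100001" message="sample signature A" src_ip="203.0.113.5" dst_ip="192.0.2.13" action="Drop"
log_type="Firewall" log_subtype="Allowed" timestamp="2016-11-07 09:14:03" src_ip="192.0.2.20" dst_ip="198.51.100.9" action="Allow"
log_type="IDP" log_subtype="Detect" timestamp="2016-11-07 09:14:04" signature_id="100003" message="sample signature C" src_ip="198.51.100.8" dst_ip="192.0.2.10" action="Drop"
log_type="IDP" log_subtype="Detect" timestamp="2016-11-07 09:14:04" signature_id="100001" message="sample signature A" src_ip="203.0.113.5" dst_ip="192.0.2.14" action="Drop"
"""

# Matches every key="value" pair on a line.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ips_lines(text):
    """Return one dict per IPS (log_type IDP) line; other log types are skipped."""
    records = []
    for line in text.splitlines():
        fields = dict(KV_RE.findall(line))
        if fields.get("log_type") == "IDP" and "signature_id" in fields:
            records.append(fields)
    return records


def signature_counts(records):
    """Count hits per signature id and remember the message text for reporting."""
    counts = Counter(r["signature_id"] for r in records)
    messages = {r["signature_id"]: r.get("message", "") for r in records}
    return counts, messages


def dominant_signatures(records, min_share=0.5, min_hits=3):
    """Return (sid, message, hits, share, top_sources) for each signature that
    accounts for at least min_share of all IPS hits and at least min_hits.
    These are the signatures worth reviewing (or disabling for a test)."""
    counts, messages = signature_counts(records)
    total = sum(counts.values())
    result = []
    for sid, hits in counts.most_common():
        share = hits / total if total else 0.0
        if hits >= min_hits and share >= min_share:
            # Top source addresses tell you whether one host is driving the noise.
            sources = Counter(r["src_ip"] for r in records if r["signature_id"] == sid)
            result.append((sid, messages[sid], hits, round(share, 2), sources.most_common(3)))
    return result


if __name__ == "__main__":
    recs = parse_ips_lines(SAMPLE_IPS_LOG)
    for sid, msg, hits, share, srcs in dominant_signatures(recs):
        print(f"signature {sid} ({msg}): {hits} hits, {share:.0%} of IPS events, top sources {srcs}")
```

    On the constructed sample, one placeholder signature accounts for five of the seven IPS events, all from a single source address. In practice, a result like that points at either a noisy rule or a single host hammering the firewall; an exception for that source, or disabling the signature only for the duration of a test, is less drastic than switching it off permanently. Note also that Snort 2.x runs detection in a single thread, so a saturated IPS process shows up in top as one process near 100% while the overall CPU figure on a multi-core appliance stays lower.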
  • Hi sachingurung,


    I tried to take a look at the logs when the problem occurred, but like I said I don't have much time; next time I will try to take a closer look at the IPS logs in the Log viewer. At this moment the situation is quiet enough, so I cannot identify a specific problem.

    You say to eventually disable the frequently showing signatures; do you mean for testing? In that case it's ok, otherwise I cannot disable IPS signatures permanently... this cluster I got (2x XG 310) is far over-dimensioned for our network connection limits, so I'm expecting easy management of the antivirus and IPS engines with our load even at maximum speed...


    Regards,

    Simone

  • Hi Simone,

    By any chance, have you logged a case with Support? This needs to be carefully investigated for the root cause; if you haven't, please log a case and private message me the Service Request.

    Thanks and Regards

    Aditya Patel  | Network and Security Engineer 

  • Hi,


    Just for the record, after the firmware update to v16 and the changes you suggested, this problem has already occurred two more times.

    I thought this could be related to a hardware problem with one appliance, but it happened with both...


    The last time I checked the running processes with the top command in the advanced shell, snort was always at 99.9% but the overall CPU percentage was lower, so maybe this process uses only one core of the multiprocessor CPU in the appliance?

    Regards,

    Simone

  • Simone,

    how is the situation with support? I mean, did you send the ticket to ?

    Thanks

  • Yes, I sent the ticket, but I think I will need to investigate further with support by opening a new ticket...


    Simone